+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 18
Windows Server 2008 R2 Thread, Folder Permissions Question in Technical; Hi, Our ICT Teachers want to have full access to students work areas so that they can go in and ...
  1. #1
    Darylrese's Avatar
    Join Date
    Sep 2010
    Posts
    445
    Thank Post
    10
    Thanked 7 Times in 6 Posts
    Rep Power
    10

    Folder Permissions Question

    Hi,

    Our ICT Teachers want to have full access to students work areas so that they can go in and print work off / mark it. I have created a security group and added the teachers in it. I then added them to the 'homedrive' folder modify full control which contains all the students user folders in. When applying it only applies to a small amount of users and most deny access to the teachers when they try to access the files.

    When checking individual folders, the group is not there. What click box do i need to check so that all the security permissions in the sub folders are inherited without denying access to the students too?

    Im sure its simple, my mind has just gone blank and last time i tried i took ownership of all the folders by accident and no-one could access anything!

    1.jpg

    When checking sub folders, the permissions and group have not been inherited.
    Last edited by Darylrese; 30th January 2013 at 01:24 PM.

  2. #2

    Join Date
    Sep 2010
    Posts
    674
    Thank Post
    28
    Thanked 78 Times in 73 Posts
    Rep Power
    23
    are the folders underneath the top level home drives folder set to inherit from parent?
    forcing the permissions to replicated to that folder and child objects is under the advance tab in security.

    still getting used to the slightly different UI layout for 2k8r2 so this might be slightly incorrect...
    Last edited by SHimmer45; 30th January 2013 at 01:34 PM.

  3. #3
    Darylrese's Avatar
    Join Date
    Sep 2010
    Posts
    445
    Thank Post
    10
    Thanked 7 Times in 6 Posts
    Rep Power
    10
    The setup is E:\Home drives then in there is all the students folders, inside them is a My documents folder. Theres no inherit permissions on those, problem is i cant find a way of doing it in bulk.

    for example:

    2.jpg

    3.jpg

    We basically need all the 'My Documents' folders to inherit from the parent folder but also still include the exisiting permissions. For example on this account OAKill is specified as a user in the list, if i force child folders to have parent permissions (from the homedrivers folder), this im guessing will take him off the security list therefore denying him access to his work area?
    Last edited by Darylrese; 30th January 2013 at 01:59 PM.

  4. #4

    Join Date
    Sep 2010
    Posts
    674
    Thank Post
    28
    Thanked 78 Times in 73 Posts
    Rep Power
    23
    as you havent got inherited permissions running through your folder tree you will need to add them to each folder is an option (long and painful)
    are you manually creating this home directory folders?
    if you check the inherit permissions box the permissions you have defined already "shouldnt" be changed
    id create a dummy folder structure and see how it behaves and if you does what you need it to do.

  5. #5
    Darylrese's Avatar
    Join Date
    Sep 2010
    Posts
    445
    Thank Post
    10
    Thanked 7 Times in 6 Posts
    Rep Power
    10
    Oh man not looking forward to that!!

    When a new student starts we manually enter a document path in AD in their profile and it creates it for us when they log in.

  6. #6

    Join Date
    Sep 2010
    Posts
    674
    Thank Post
    28
    Thanked 78 Times in 73 Posts
    Rep Power
    23
    id still suggest doing a little test as you might not need to manually re-add anything.

  7. #7
    apeo's Avatar
    Join Date
    Sep 2005
    Location
    Lost
    Posts
    1,612
    Thank Post
    95
    Thanked 115 Times in 111 Posts
    Rep Power
    42
    Sound like you either enter it in manually or use a script in combination with cacls or icacls. BTW you can probably get away with just read access.

  8. #8

    Join Date
    Jul 2012
    Location
    Boerne Texas USA
    Posts
    45
    Thank Post
    0
    Thanked 9 Times in 9 Posts
    Rep Power
    7
    Something like:
    for /D %a in ("E:\Homedrives\*") do icacls "%~a\My Documents" /grant:r "MCA\ICT Teachers File Access":(OI)(CI)(IO)(M) /C /Q
    Last edited by jklight; 30th January 2013 at 11:08 PM. Reason: code fix

  9. #9
    Darylrese's Avatar
    Join Date
    Sep 2010
    Posts
    445
    Thank Post
    10
    Thanked 7 Times in 6 Posts
    Rep Power
    10
    Thats great thanks, will that script just add permissions to that group on all subfolders?

  10. #10

    Join Date
    Jul 2012
    Location
    Boerne Texas USA
    Posts
    45
    Thank Post
    0
    Thanked 9 Times in 9 Posts
    Rep Power
    7
    Icacls

    The (OI)(CI)(IO) means "inherit to subfolders or files" and is needed so that they don't have rights to delete the "My Documents" folder itself.
    The (M) means "Modify Rights" as apeo suggests, maybe "(R)" is what they need and not "(M)".
    T
    he /grant:r means "Grants specified user access rights. Permissions replace previously granted explicit permissions. Without :r, permissions are added to any previously granted explicit permissions." Experiment with the :r to see if it needed or not.



  11. #11
    Darylrese's Avatar
    Join Date
    Sep 2010
    Posts
    445
    Thank Post
    10
    Thanked 7 Times in 6 Posts
    Rep Power
    10
    Thanks guys. In the end we created a security group for all students and one for staff needing access, gave them the correct level of access and forced it to replace all child folder permissions from the home drive folder.

    Everyone can get in now, they just need to be added to the correct group to get into the work areas when setting up but that not issue. All the folders have the same permissions now.

    The only problem i guess is technically everyone has access to each others files as long as they are a member of the group but their documents is redirected so they cant change the path and also they have no way of getting on the server anyway.

    I appriciate its not the best way of doing things but the document library for students is forced via GPO so i can't see an issue until we have time to completely change the file structure in the future. They also dont have access to the e drive so unless they manage to get the admin account they cant do anything anyway
    Last edited by Darylrese; 31st January 2013 at 10:40 PM.

  12. #12

    Join Date
    Jul 2012
    Location
    Boerne Texas USA
    Posts
    45
    Thank Post
    0
    Thanked 9 Times in 9 Posts
    Rep Power
    7
    I would say that that is not what I would recommend. If "technically" everyone has access to each others files then in all reality they *DO* have access to each others files. There are just too many ways to get places. Maybe if all the kids are under 9 or 10 years old but they really do get good at finding holes. When things go wrong, or missing, or stuff just starts showing up how do you know what is going on since permissions say anyone and everyone could be the cause? JMHO

  13. #13
    Darylrese's Avatar
    Join Date
    Sep 2010
    Posts
    445
    Thank Post
    10
    Thanked 7 Times in 6 Posts
    Rep Power
    10
    I understand i just cant see a better way of doing it without setting permissions one by one or starting again :/
    Last edited by Darylrese; 31st January 2013 at 10:45 PM.

  14. #14

    Join Date
    Jul 2012
    Location
    Boerne Texas USA
    Posts
    45
    Thank Post
    0
    Thanked 9 Times in 9 Posts
    Rep Power
    7
    Use the ICACLS command that MS provides...

  15. #15
    Darylrese's Avatar
    Join Date
    Sep 2010
    Posts
    445
    Thank Post
    10
    Thanked 7 Times in 6 Posts
    Rep Power
    10
    not used it before, a little new to this but will look into it, thank-you. Will it reset permissions for the whole structure?

    Basically we need teachers security group to have full control over the 'homedrives' folder and then each student full permission to their own folders within that

    Ok your right, i can't keep it like this, a shortcut to the folder lets a student in. If all else fails we might have to go into each folder and add the student to their own security tab one by one...there arn't thousands

    I need to reset them back to what they were and start again if possible.
    Last edited by Darylrese; 31st January 2013 at 11:24 PM.



SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Interesting Folder Permissions Question
    By WiPPaH in forum Windows Server 2000/2003
    Replies: 8
    Last Post: 9th February 2010, 05:36 PM
  2. Replies: 5
    Last Post: 12th January 2007, 10:26 PM
  3. Folder Permissions
    By wesleyw in forum Windows
    Replies: 6
    Last Post: 9th January 2007, 09:25 PM
  4. DPS Folder Permissions
    By ajbritton in forum ICT KS3 SATS Tests
    Replies: 2
    Last Post: 18th December 2006, 12:09 PM
  5. Replies: 15
    Last Post: 12th October 2006, 10:37 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •